html.c: use correct escaping in html attributes
authorLars Hjemli <hjemli@gmail.com>
Thu, 29 Jan 2009 21:21:15 +0000 (22:21 +0100)
committerLars Hjemli <hjemli@gmail.com>
Thu, 29 Jan 2009 21:21:15 +0000 (22:21 +0100)
First, an apostrophe is not a quote. Second, we also need to escape
quotes. And finally, quotes are encoded as '&quot;', not '&quote;'.

Sighned-off-by: Lars Hjemli <hjemli@gmail.com>
html.c

diff --git a/html.c b/html.c
index d7d9fd7007ff764c17ead46f23f00eaf44ade142..66ba65dcf6245d6e7d78ccd3d8ac1f57376fb7d8 100644 (file)
--- a/html.c
+++ b/html.c
@@ -112,14 +112,16 @@ void html_attr(char *txt)
        char *t = txt;
        while(t && *t){
                int c = *t;
-               if (c=='<' || c=='>' || c=='\'') {
+               if (c=='<' || c=='>' || c=='\'' || c=='\"') {
                        write(htmlfd, txt, t - txt);
                        if (c=='>')
                                html("&gt;");
                        else if (c=='<')
                                html("&lt;");
                        else if (c=='\'')
-                               html("&quote;");
+                               html("&#x27;");
+                       else if (c=='"')
+                               html("&quot;");
                        txt = t+1;
                }
                t++;
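Review bot: The widened condition on the `if` line still leaves `&` unescaped, so an attribute value such as `a&lt;b` is emitted verbatim and decoded by the browser back into `a<b`, which undoes the escaping this commit adds; the ampersand needs the same treatment, e.g. `if (c=='<' || c=='>' || c=='\'' || c=='\"' || c=='&') {` plus a branch `else if (c=='&') html("&amp;");` before the `txt = t+1;` line. As a point of style, the new condition spells the double quote as `'\"'` while the new branch two lines below spells it `'"'`; the two are the same character and should be written the same way. html_attr's signature and the write of the trailing segment lie outside this hunk.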